[Freeswitch-users] Hacked FreeSWITCH mentioned on the Verge regarding bomb threats

Sergey Safarov s.safarov at gmail.com
Wed Mar 15 08:23:25 MSK 2017


I can add an RPM package script that changes the default password to a random one.
Team, is it required to do this?

Wed, 15 March 2017, 1:13 Mario G <mario_fs at mgtech.com>:

> That’s a better idea. If any phone is registered with 1234 you can’t dial
> out any gateway. You can have a big demo but no outside connection. Going
> outside requires changing the password on all phones.
>
> On Mar 14, 2017, at 2:40 PM, Michael Jerris <mike at jerris.com> wrote:
>
> The demo config includes no way to dial out of a gateway…
>
>
> On Mar 14, 2017, at 5:06 PM, David Villasmil <
> david.villasmil.work at gmail.com> wrote:
>
> IMHO, a demo config shouldn't be shipped out by default, it's very risky.
> If everyone using freeswitch (or any other softswitch for that matter) for
> the first time was a seasoned sysops, then yes. But this is very much not
> the case.
>
> So maybe it would be safer for everyone to ship it out with a locked-down
> config, so that user WILL learn how fs works by having to open features one
> at a time... and then describe in the wiki how to implement the demo config
> from a git repo.
>
> This way EVERYONE using fs for the first time will know they are using a
> demo config with everything defaulted and "open"...
>
> But this is just my opinion.
> On Tue, Mar 14, 2017 at 9:58 PM Giovanni Maruzzelli <gmaruzz at gmail.com>
> wrote:
>
> btw the problem is always with users/customers that change the demo
> password "1234" (where there is a delay of 10 seconds put there for this
> purpose) to something like "password".
>
> And what I can do about this?
>
> I will put a safeguard against silly passwords, and you will make the
> effort to circumvent also that safeguard because "is easier for my users"?
>
> On 14 March 2017 at 21:56, Giovanni Maruzzelli <gmaruzz at gmail.com> wrote:
>
> NO, the default password of the demo configuration is just that, a DEFAULT
> password of a DEMO configuration.
>
> That is meant to DEMO just OUT OF THE BOX
>
> So, it must stay this way, because it just works, and is a demo
>
> Then, if you put a demo in production, the problem is between the monitor
> and the seat, not in the software
>
> On 14 March 2017 at 21:46, David Villasmil <david.villasmil.work at gmail.com
> > wrote:
>
> Make the default password very obscure randomized on the fly... that way
> people will be crying because they can't figure out a password instead of
> having noobies hacked :)
>
> On Tue, Mar 14, 2017 at 9:40 PM Mirko Brankovic <mirkobrankovic at gmail.com>
> wrote:
>
> Indeed ;)
>
> On Mar 14, 2017 20:38, "Antonio Silva" <asilva at wirelessmundi.com> wrote:
>
> almost... until the user to test set userid = password ... and forget to
> change it... ops... hacked...
>
> it's all about good practices.
>
> Regards,
> António
>
> On 03/14/2017 07:39 PM, Mirko Brankovic wrote:
>
> Change default password to uuid(), so every new install will get random one
> ... Bulletproof :°D
>
> On Mar 14, 2017 19:30, "Brian West" <brian at freeswitch.org> wrote:
>
> This is exactly what prompted me to put the FOUR LINE CRIT statement when
> the default password isn't changed along with a 10 second delay before
> proceeding.  Still I see questions posted about the 10 second delay and
> asking what it means. Not sure how to make it more clear.
>
> /b
>
>
> On Tue, Mar 14, 2017 at 1:19 PM, Giovanni Maruzzelli <gmaruzz at gmail.com>
> wrote:
>
> Is nice because they mention FreeSWITCH in the tag of the link, but the
> link is about FreePBX.
>
> Anyway, it's true: if you do not use the standard security practice, and
> leave your FreeSWITCH with standard password "1234", or maybe you change
> the standard password to "password", you probably will be hacked, and phone
> calls will be originated from your FreeSWITCH that you do not want to
> originate.
>
> But, man, that's what you, and me, and anyone is expecting.
>
> Also, please do not drive wrong way in the autobahn :))
>
> -giovanni
>
>
> On 14 March 2017 at 16:42, Mario G <mario_fs at mgtech.com> wrote:
>
> Thought some may be interested in this. I first saw it today via Apple
> News… Related to tracing bomb threats and Jewish attacks… FreeSWITCH
> mentioned twice.
>
> http://www.theverge.com/2017/3/14/14913118/jcc-bomb-threats-anonymous-phone-calls-pdx-hacking
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
More information about the FreeSWITCH-users mailing list
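
The post-install randomization proposed at the top of this message, sketched as an added example (not code from the thread or from the FreeSWITCH packaging). It assumes the demo password is set by an `X-PRE-PROCESS` `default_password=1234` line in `vars.xml`; the function names and the sample file are constructed for illustration, and the real file path would be supplied by the packager.

```shell
#!/bin/sh
# Added example: logic an RPM %post scriptlet could call on install/upgrade.
# Assumption: vars.xml sets the demo password via an X-PRE-PROCESS line.

# True when FILE still carries the shipped demo password "1234".
has_default_password() {
    grep -q 'data="default_password=1234"' "$1"
}

# Print the current default_password value found in FILE.
get_default_password() {
    sed -n 's/.*data="default_password=\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Replace the demo password with 128 random bits (32 hex characters).
# A password the operator already changed is left alone, so re-running
# the scriptlet on upgrade never overwrites a deployed credential.
randomize_default_password() {
    file=$1
    has_default_password "$file" || return 0
    new=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    [ "${#new}" -eq 32 ] || return 1      # refuse to write a short value
    tmp=$(mktemp) || return 1             # mktemp creates the file mode 0600
    sed "s/data=\"default_password=1234\"/data=\"default_password=$new\"/" \
        "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"                  # rewrite in place: keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample standing in for the packaged vars.xml.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<include>
  <!-- constructed sample, not the shipped file -->
  <X-PRE-PROCESS cmd="set" data="default_password=1234"/>
</include>
EOF
randomize_default_password "$sample"
echo "default_password is now: $(get_default_password "$sample")"
rm -f "$sample"
```

As Antonio Silva's reply points out, this only covers the untouched default; a password an operator later sets to something guessable is outside what the scriptlet can see.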